A trust layer for the open social web, rooted in physical co-presence.
Two people meet, tap phones, and walk away with a self-contained, cryptographically signed record that they were in the same place at the same time. Trust is built one handshake at a time, owned by the people doing the handshaking, and portable across AT Protocol and Nostr.
TestFlight beta opening soon · iOS first · Android to follow
The concept
Co-presence is the atom.
When two phones tap, both devices exchange GPS, timestamps, and signatures, then sign the combined hash. The bundle that walks away requires both private keys and the physical channel — no single party can forge it.
Identity lives in the device.
Keys are generated and held in the iOS Secure Enclave / Android StrongBox. Public keys are registered against your AT Protocol DID or Nostr pubkey. We never see them.
Encrypted to identities, not keys.
Messages use NIP-17 gift-wrap. Relays see only opaque kind-1059 wrappers — no metadata about who’s talking to whom. Even hu-net’s developers, with full relay logs, could not read them.
Social recovery, not seed phrases.
Lose your phone? Meet three of your trust contacts. Each one signs an attestation that the new DID is the same person. After a contestation window, your trust history carries over.
The server is optional.
Every attestation verifies standalone from public keys. The backend is an index for fast graph queries — the mobile app runs in a serverless mode where the identity is just a Nostr pubkey.
A quick tour
The journey from a brand-new install through your first handshake, your first encrypted message, and a feed that re-ranks Bluesky through your real-world trust graph.
Dashboard
Your trust network at a glance — direct (verified in person), 2nd-degree (vouched), 3rd-degree (extended).
Verify · find
Frame their hu-code to start a handshake. The camera looks for a nearby device.
Verify · identify
Identity surfaces. Vouching adds them to your trust circle.
Verify · welcomed
Mutual. The attestation bundle is signed by both devices and verifies offline forever after.
Connection
"Human verified · In person · You shook hands." Every connection links to messages and graph position.
Messages
End-to-end encrypted with NIP-17 gift-wrap. Relays see only opaque wrappers.
Feed · direct
Bluesky posts from people you’ve verified in person, tagged DIRECT.
Feed · public
Same Bluesky firehose, the outermost ring. Same ranker, different trust filter.
Profile
Your Nostr pubkey, Bluesky handle, and linked accounts — all in one place.
What the app actually does
Trust-weighted Bluesky feed
The Feed tab pulls posts from your Bluesky follows and tags every post with the author's trust tier — direct, friend-of-a-friend, extended, or public. A close friend's three-hour-old post beats a stranger's three-minute-old one, without you having to mute the world.
E2E encrypted messages
Direct messages and group chats use NIP-17 gift-wrap. The relay sees only kind-1059 wrappers; no metadata about who's talking to whom. Groups today are fan-out behind a swap-friendly transport seam — MLS / Marmot is the planned upgrade.
Connections, not contacts
Every NFC handshake becomes a Connection you can name, vouch for, or use as a recovery contact. The trust graph that powers the feed and messages is the same graph you build by meeting people.
Want to try it?
A close-friends TestFlight beta opens soon. The source is on GitHub — star or watch the repo to follow progress.